File: security_delegate.h

package info (click to toggle)
chromium 120.0.6099.224-1~deb11u1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 6,112,112 kB
  • sloc: cpp: 32,907,025; ansic: 8,148,123; javascript: 3,679,536; python: 2,031,248; asm: 959,718; java: 804,675; xml: 617,256; sh: 111,417; objc: 100,835; perl: 88,443; cs: 53,032; makefile: 29,579; fortran: 24,137; php: 21,162; tcl: 21,147; sql: 20,809; ruby: 17,735; pascal: 12,864; yacc: 8,045; lisp: 3,388; lex: 1,323; ada: 727; awk: 329; jsp: 267; csh: 117; exp: 43; sed: 37
file content (71 lines) | stat: -rw-r--r-- 2,666 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef COMPONENTS_EXO_SECURITY_DELEGATE_H_
#define COMPONENTS_EXO_SECURITY_DELEGATE_H_

#include <memory>
#include <string>

namespace aura {
class Window;
}

namespace exo {

// Each wayland server managed by exo, including the default server, will have a
// single delegate associated with it to control security-sensitive features of
// the server, e.g.:
//  - Availability of privileged APIs used by trusted clients only.
//  - Handling of certain mechanisms differently for different products (arc,
//    crostini, etc)
// This allows exo to make strong guarantees about the relationship between the
// wl clients and the SecurityDelegate the server owns.
//
// See go/secure-exo-ids and go/securer-exo-ids for more details.
class SecurityDelegate {
 public:
  // See |CanSetBounds()|.
  enum SetBoundsPolicy {
    // By default, clients may not set window bounds. Requests are ignored.
    IGNORE,

    // Clients may set bounds, but Exo may DCHECK on requests for windows with
    // server-side decoration.
    DCHECK_IF_DECORATED,

    // Clients may set bounds for any window. Exo will expand the requested
    // bounds to account for server-side decorations, if any.
    ADJUST_IF_DECORATED,
  };

  // Get a SecurityDelegate instance with all of the defaults.
  static std::unique_ptr<SecurityDelegate> GetDefaultSecurityDelegate();

  virtual ~SecurityDelegate();

  // "Self-activation" is a security sensitive windowing operation that is a
  // common paradigm in X11. The need to self-activate is controlled
  // per-subsystem, i.e. a product like ARC++ knows that its windows should be
  // able to self activate, whereas Crostini knows they usually shouldn't.
  virtual bool CanSelfActivate(aura::Window* window) const;

  // Called when a client made pointer lock request, defined in
  // pointer-constraints-unstable-v1.xml extension protocol.  True if the client
  // can lock the location of the pointer and disable movement, or return false
  // to reject the pointer lock request.
  virtual bool CanLockPointer(aura::Window* window) const;

  // Whether clients may set their own windows' bounds is a security-relevant
  // policy decision.
  //
  // If server-side decoration is used, clients normally should not set their
  // own window bounds, as they may not be able to compute them correctly
  // (accounting for the size of the window decorations).
  virtual SetBoundsPolicy CanSetBounds(aura::Window* window) const;
};

}  // namespace exo

#endif  // COMPONENTS_EXO_SECURITY_DELEGATE_H_